Package configuration with /tmp mounted noexec
Hi, I've got /tmp mounted rw,noexec,nosuid,nodev because I think I read somewhere that that was a good way to go security-wise. It seems that some package related configuration stuff writes temporary scripts into /tmp, which then don't run because /tmp's mounted noexec Should perhaps such scripts be placed elsewhere? /var/tmp? Is mounting /tmp noexec a bit pointless? Andrew
Re: Package configuration with /tmp mounted noexec
on Tue, Oct 23, 2001 at 02:37:23PM +1000, Andrew Pollock ([EMAIL PROTECTED]) wrote: Hi, I've got /tmp mounted rw,noexec,nosuid,nodev because I think I read somewhere that that was a good way to go security-wise. It is, but... It seems that some package related configuration stuff writes temporary scripts into /tmp, which then don't run because /tmp's mounted noexec ...it creates problems. Incidentally, what package is doing this? I'd been asked this onece after sugesting 'noexec' and wasn't aware of specific executables. I've also found that the PCMCIA cardmgr wants to put a device file on /tmp, and had to modify the init.d script for it to do a remount. Should perhaps such scripts be placed elsewhere? /var/tmp? Is mounting /tmp noexec a bit pointless? If you *do* specify a TEMP=/var/tmp, most (but not all) applications will respect it (though not necessarially in the morning). Note that *any* mount option is going to be relatively easy to change with the -remount option -- this can be done without umounting the partition. I'd prolly aquiesce and mount /tmp executable, seeing as there are several pretty trivial ways of getting around this exclusion, so it is somewhat pointless. Peace. -- Karsten M. Self kmself@ix.netcom.com http://kmself.home.netcom.com/ What part of Gestalt don't you understand? Home of the brave http://gestalt-system.sourceforge.net/ Land of the free Free Dmitry! Boycott Adobe! Repeal the DMCA! http://www.freesklyarov.org Geek for Hire http://kmself.home.netcom.com/resume.html pgpJPtKSiJmCs.pgp Description: PGP signature
Re: Package configuration with /tmp mounted noexec
On Tue, 23 Oct 2001, Karsten M. Self wrote: on Tue, Oct 23, 2001 at 02:37:23PM +1000, Andrew Pollock ([EMAIL PROTECTED]) wrote: Hi, I've got /tmp mounted rw,noexec,nosuid,nodev because I think I read somewhere that that was a good way to go security-wise. It is, but... It seems that some package related configuration stuff writes temporary scripts into /tmp, which then don't run because /tmp's mounted noexec ...it creates problems. Incidentally, what package is doing this? I'd been asked this onece after sugesting 'noexec' and wasn't aware of specific executables. I've also found that the PCMCIA cardmgr wants to put a device file on /tmp, and had to modify the init.d script for it to do a remount. This particular occasion was the faqomatic package, I was upgrading to the version in unstable. I'm not sure whether it's a debconf thing or a Perl thing. I'm still learning the internals of packages, and the scripts internal to the package don't make a lot of sense to me at the moment. Should perhaps such scripts be placed elsewhere? /var/tmp? Is mounting /tmp noexec a bit pointless? If you *do* specify a TEMP=/var/tmp, most (but not all) applications will respect it (though not necessarially in the morning). Note that *any* mount option is going to be relatively easy to change with the -remount option -- this can be done without umounting the partition. I'd prolly aquiesce and mount /tmp executable, seeing as there are several pretty trivial ways of getting around this exclusion, so it is somewhat pointless. Yeah, I think I'll do that. Andrew
Re: Package configuration with /tmp mounted noexec
On Tue, Oct 23, 2001 at 02:37:23PM +1000, Andrew Pollock wrote: I've got /tmp mounted rw,noexec,nosuid,nodev because I think I read somewhere that that was a good way to go security-wise. It seems that some package related configuration stuff writes temporary scripts into /tmp, which then don't run because /tmp's mounted noexec There's already been a bug filed about this and bounced around a few places (eventually ending up with debconf), so if you're running unstable then with any luck you should find that it's fixed soon. Should perhaps such scripts be placed elsewhere? /var/tmp? Is mounting /tmp noexec a bit pointless? noexec is really just a sanity check anyway as far as interpreted scripts are concerned. (Compare '/tmp/foo' with 'perl /tmp/foo'.) nodev and nosuid are more useful. -- Colin Watson [EMAIL PROTECTED]
Re: Package configuration with /tmp mounted noexec
on Tue, Oct 23, 2001 at 06:28:18PM +1000, Andrew Pollock ([EMAIL PROTECTED]) wrote: On Tue, 23 Oct 2001, Karsten M. Self wrote: on Tue, Oct 23, 2001 at 02:37:23PM +1000, Andrew Pollock ([EMAIL PROTECTED]) wrote: Hi, I've got /tmp mounted rw,noexec,nosuid,nodev because I think I read somewhere that that was a good way to go security-wise. It is, but... It seems that some package related configuration stuff writes temporary scripts into /tmp, which then don't run because /tmp's mounted noexec ...it creates problems. Incidentally, what package is doing this? I'd been asked this onece after sugesting 'noexec' and wasn't aware of specific executables. I've also found that the PCMCIA cardmgr wants to put a device file on /tmp, and had to modify the init.d script for it to do a remount. This particular occasion was the faqomatic package, I was upgrading to the version in unstable. I'm not sure whether it's a debconf thing or a Perl thing. I'm still learning the internals of packages, and the scripts internal to the package don't make a lot of sense to me at the moment. Hmm... Sounds like the install scripts may be somewhat borked. I've taken a quick read through debian-policy and I'm not sure this does or doesn't correspond. Might not hurt to ask though. Note that *any* mount option is going to be relatively easy to change with the -remount option -- this can be done without umounting the partition. I'd prolly aquiesce and mount /tmp executable, seeing as there are several pretty trivial ways of getting around this exclusion, so it is somewhat pointless. Yeah, I think I'll do that. It's the easy way out, and I don't think it's too far wrong. Peace. -- Karsten M. Self kmself@ix.netcom.com http://kmself.home.netcom.com/ What part of Gestalt don't you understand? Home of the brave http://gestalt-system.sourceforge.net/ Land of the free Free Dmitry! Boycott Adobe! Repeal the DMCA! http://www.freesklyarov.org Geek for Hire http://kmself.home.netcom.com/resume.html pgpV2HqGweW2O.pgp Description: PGP signature